Welcome to part four of our COSO 2013 blog series. We have covered COSO’s guidance around the development of a control environment and execution of risk assessments. In this blog, we will focus on how to use the output of your risk assessments to properly select, design, and implement control activities.
How are Risk and Control Activities related?
In our last blog, we defined risk as, “the possibility that an event will occur and adversely affect the achievement of objectives.” Risk is inherent to every entity, department, process, and function. Typical responses to identified risks include avoidance, transfer, mitigation, and/or acceptance (assuming the risk falls below the organization’s risk tolerance). It’s nearly impossible to avoid or transfer all risk, and highly unlikely that most risks will be within your organization’s risk tolerance. It’s for this reason that risk mitigation is the most common response to identified risks. Risk mitigation is achieved through the selection, design, and implementation of control activities.
What are Control Activities?
COSO defines control activities as, “actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.” Stated more simply, controls are specific activities performed by persons or systems that are designed to ensure that objectives are met.
The control activities component of internal control includes three principles:
- “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- The organization selects and develops general control activities over technology to support the achievement of objectives.
- The organization deploys control activities through policies that establish what is expected and in procedures that put policies into action.”
Control activities reduce the likelihood of a risk occurrence. For risks with a high impact and likelihood, it may be necessary to implement multiple controls to sufficiently reduce the risk to acceptable levels.
Read: Simplify Internal Controls for ServiceNow GRC Success
One of the last components of control activities, is the development of policies and procedures that align with current risks and control activities, as well as clearly defined accountability. Documented policies and procedures are an effective way to communicate control activities and expectations to employees.
Not Just Any Control Activities
Remember, the purpose isn’t to implement controls, but rather to mitigate risk, in the most efficient and effective way possible. For this, you need Performance-Based Control Design™, an approach that makes it possible to design a control that both manages risk AND improves performance. Performance-Based Control Design™ takes all aspects of your business into consideration, including your industry, clients, business objectives, and your IT operations, and then harmonizes your controls to be in tune with your business.
Put simply, Performance-Based Control Design™ means applying controls at the right time, in the right places, and with the right intensity, to improve performance, keep costs low, improve business agility, and manage risk.
Read: The Future of Control Design
COSO 2013’s Major Impacts on the Control Activities
The updated framework does not change the methodology for how control activities should be implemented. However, the new framework stresses the importance of applying controls at the various levels of an organization (e.g. entity, departments, locations, functions). This and/or the increased focus on the following may impact your organizations’ control environment:
- Linkage between control activities and the risk assessment
- Use of mixed control activity types (preventive, detective, corrective)
- Use of technology for automated controls
- Assignment of accountability for policies, procedures, and control activities.
- Governance and control over outsourced processes and third-party service providers.
How can ServiceNow Help with your Control Activities?
Designing a control never seems to be that difficult. However, many organizations struggle to ensure that the controls that they have designed and implemented continue to operate effectively throughout the year. Demand gets high, resources get constrained, and sometimes control activities get pushed to the wayside. Moreover, it is difficult to keep track of control evidence and approvals that are scattered throughout the organization on flat files, emails, and shared drives.
ServiceNow simplifies control activities by integrating controls directly with the service management applications that are built on the platform. These are a few of the best ServiceNow applications that can supercharge your control activities.
Governance, Risk, and Compliance
Once again, this should not come as a surprise. The GRC application in ServiceNow is the core component of control activities on the platform. Similar to the risk register we discussed in our previous blog, ServiceNow GRC allows organizations to track each and every control that exists in their business, including important meta-data like control frequency, type, and control owner. This provides clear accountability for the operating effectiveness of each control. Controls can then be related to one or more risks that are mitigated by the control. This gives risk managers the ability to quickly report on the types of controls (i.e. Preventative, Detective, and Corrective) that are implemented to mitigate a risk.
Advanced query conditions can be configured to assist with certain control tests. For example, ServiceNow can automatically review the previous week’s change records and identify any changes that were not approved. Automated control tests can be run on ServiceNow tables and any systems that are integrated with ServiceNow. Control automation provides consistency in control execution and reduces human error.
Vendor Performance Management
The increased reliance organizations have on cloud computing, outsourcing agreements, and third-party service providers to perform mission critical processes exposes the need to effectively manage vendor risk. This can be difficult without the help of a centralized application. ServiceNow provides the ability to define vendor objectives and SLA’s, manage contracts, and assess and rank vendor performance across a variety of categories, including compliance.
Read:Contract Negotiation Checklist – Don’t forget Your Pre-Nup
Service Management Suite
We could go down the list of all ServiceNow applications and explain how each supports implementation of control activities. Suffice it to say that the entire service management suite, whether core ITSM (e.g. incident management, problem management, change management, etc.), HR Case Management, Facilities Management, or a custom developed application, can be used to implement effective control activities. After all, these are the processes that run your business. When implementing each of these applications, be sure to identify where risks exist, and what controls should be in place to mitigate the risk. Then build your workflows and automations to ensure that control activities are built into the process.
Now that we’ve covered the impacts that COSO 2013’s update has had on guidance surrounding your control environment, risk assessments, and control activities, we’ll be moving on to information and communication next.
About the authors
“Life is too short to have only one OS” - nathan dupirack
